日期:2023-03-26  浏览次数:438 次

在不同的AS之间配置BGP4+实现两个AS网络之间可进行路由交互。

组网需求

如图1所示,在IPv6网络环境中,FW_A为企业的防火墙兼出口网关。FW_A通过运营商网络连接到Internet。企业内网的设备之间运行IBGP协议。

运营商网络内部也为IPv6网络。运营商的边界路由器(Router)已配置BGP功能。

FW_A与Router之间建立EBGP连接。

图1 配置BGP4+基本组网图

项目

数据

FW_A

接口号:GigabitEthernet 1/0/1

IP地址:10::1/64

安全区域:Untrust

接口号:GigabitEthernet 1/0/2

IP地址:9:3::1/64

安全区域:Trust

接口号:GigabitEthernet 1/0/3

IP地址:9:1::1/64

安全区域:Trust

FW_B

接口号:GigabitEthernet 1/0/1

IP地址:9:3::2/64

安全区域:Untrust

接口号:GigabitEthernet 1/0/3

IP地址:9:2::1/64

安全区域:Trust

FW_C

接口号:GigabitEthernet 1/0/1

IP地址:9:1::2/64

安全区域:Untrust

接口号:GigabitEthernet 1/0/3

IP地址:9:2::2/64

安全区域:Trust

配置思路

采用如下思路配置BGP4+基本功能:

  1. 配置各接口基本参数,实现互连链路互通。
  2. 配置域间安全策略,保证内网用户能够访问Internet资源。
  3. 在FW_A、FW_B、FW_C之间配置IBGP连接。

  4. 在Router和FW_A之间配置EBGP连接。

 

操作步骤

  1. 配置各接口的IPv6地址,如图1所示。

     

    # 配置FW_A。

    <FW> system-view
    [FW] sysname FW_A
    [FW_A] ipv6
    [FW_A] interface GigabitEthernet1/0/1
    [FW_A-GigabitEthernet1/0/1] ipv6 enable
    [FW_A-GigabitEthernet1/0/1] ipv6 address 10::1 64
    [FW_A-GigabitEthernet1/0/1] quit
    [FW_A] interface GigabitEthernet1/0/2
    [FW_A-GigabitEthernet1/0/2] ipv6 enable
    [FW_A-GigabitEthernet1/0/2] ipv6 address 9:3::1 64
    [FW_A-GigabitEthernet1/0/2] quit
    [FW_A] interface GigabitEthernet1/0/3
    [FW_A-GigabitEthernet1/0/3] ipv6 enable
    [FW_A-GigabitEthernet1/0/3] ipv6 address 9:1::1 64
    [FW_A-GigabitEthernet1/0/3] quit

    # 配置FW_B。

    <FW> system-view
    [FW] sysname FW_B
    [FW_B] ipv6
    [FW_B] interface GigabitEthernet1/0/1
    [FW_B-GigabitEthernet1/0/1] ipv6 enable
    [FW_B-GigabitEthernet1/0/1] ipv6 address 9:3::2 64
    [FW_B-GigabitEthernet1/0/1] quit
    [FW_B] interface GigabitEthernet1/0/3
    [FW_B-GigabitEthernet1/0/3] ipv6 enable
    [FW_B-GigabitEthernet1/0/3] ipv6 address 9:2::1 64
    [FW_B-GigabitEthernet1/0/3] quit
    

    # 配置FW_C。

    <FW> system-view
    [FW] sysname FW_C
    [FW_C] ipv6
    [FW_C] interface GigabitEthernet1/0/1
    [FW_C-GigabitEthernet1/0/1] ipv6 enable
    [FW_C-GigabitEthernet1/0/1] ipv6 address 9:1::2 64
    [FW_C-GigabitEthernet1/0/1] quit
    [FW_C] interface GigabitEthernet1/0/3
    [FW_C-GigabitEthernet1/0/3] ipv6 enable
    [FW_C-GigabitEthernet1/0/3] ipv6 address 9:2::2 64
    [FW_C-GigabitEthernet1/0/3] quit
    

     

  2. 将各接口加入安全区域。如图1所示。

     

    # 配置FW_A。

    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet1/0/2
    [FW_A-zone-trust] add interface GigabitEthernet1/0/3
    [FW_A-zone-trust] quit
    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface GigabitEthernet1/0/1
    [FW_A-zone-untrust] quit

    # 配置FW_B。

    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface GigabitEthernet1/0/3
    [FW_B-zone-trust] quit
    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface GigabitEthernet1/0/1
    [FW_B-zone-untrust] quit

    # 配置FW_C。

    [FW_C] firewall zone trust
    [FW_C-zone-trust] add interface GigabitEthernet1/0/3
    [FW_C-zone-trust] quit
    [FW_C] firewall zone untrust
    [FW_C-zone-untrust] add interface GigabitEthernet1/0/1
    [FW_C-zone-untrust] quit

     

  3. 开启域间安全策略。以FW_A为例,其余设备配置与此相同。

     

    此处只给出了完成本举例所需的安全策略的基本参数,具体使用时,请根据实际情况设置安全策略中的其他参数。

    # 开启从Trust到Untrust、从Local到Untrust和从Untrust到Local安全区域的域间策略,保证报文能够正常发送。

    [FW_A] security-policy
    [FW_A-policy-security] rule name policy_sec_1
    [FW_A-policy-security-rule-policy_sec_1] source-zone trust
    [FW_A-policy-security-rule-policy_sec_1] destination-zone untrust
    [FW_A-policy-security-rule-policy_sec_1] action permit
    [FW_A-policy-security-rule-policy_sec_1] quit
    [FW_A-policy-security] rule name policy_sec_2
    [FW_A-policy-security-rule-policy_sec_2] source-zone local untrust
    [FW_A-policy-security-rule-policy_sec_2] destination-zone local untrust
    [FW_A-policy-security-rule-policy_sec_2] action permit
    [FW_A-policy-security-rule-policy_sec_2] quit
    [FW_A-policy-security] quit

     

  4. 配置IBGP。

     

    # 配置FW_A。

    [FW_A] ipv6
    [FW_A] bgp 10
    [FW_A-bgp] router-id 2.2.2.2
    [FW_A-bgp] peer 9:1::2 as-number 10
    [FW_A-bgp] peer 9:3::2 as-number 10
    [FW_A-bgp] ipv6-family
    [FW_A-bgp-af-ipv6] peer 9:1::2 enable
    [FW_A-bgp-af-ipv6] peer 9:3::2 enable
    [FW_A-bgp-af-ipv6] network 9:1:: 64
    [FW_A-bgp-af-ipv6] network 9:3:: 64

    # 配置FW_B。

    [FW_B] ipv6
    [FW_B] bgp 10
    [FW_B-bgp] router-id 3.3.3.3
    [FW_B-bgp] peer 9:3::1 as-number 10
    [FW_B-bgp] peer 9:2::2 as-number 10
    [FW_B-bgp] ipv6-family
    [FW_B-bgp-af-ipv6] peer 9:3::1 enable
    [FW_B-bgp-af-ipv6] peer 9:2::2 enable
    [FW_B-bgp-af-ipv6] network 9:3:: 64
    [FW_B-bgp-af-ipv6] network 9:2:: 64

    # 配置FW_C。

    [FW_C] ipv6
    [FW_C] bgp 10
    [FW_C-bgp] router-id 4.4.4.4
    [FW_C-bgp] peer 9:1::1 as-number 10
    [FW_C-bgp] peer 9:2::1 as-number 10
    [FW_C-bgp] ipv6-family
    [FW_C-bgp-af-ipv6] peer 9:1::1 enable
    [FW_C-bgp-af-ipv6] peer 9:2::1 enable
    [FW_C-bgp-af-ipv6] network 9:2:: 64
    [FW_C-bgp-af-ipv6] network 9:1:: 64

     

  5. 配置FW_A的EBGP。

     

    [FW_A] bgp 10
    [FW_A-bgp] peer 10::2 as-number 20
    [FW_A-bgp] ipv6-family
    [FW_A-bgp-af-ipv6] peer 10::2 enable
    [FW_A-bgp-af-ipv6] network 10:: 64

     

 

结果验证

  • 查看BGP4+对等体的连接状态,以FW_A为例。

    出现以下显示说明FW_A到FW_B、FW_C以及Router的BGP4+连接均已建立。

    [FW_A] display bgp ipv6 peer
    
     BGP local router ID : 2.2.2.2
     Local AS number : 10
     Total number of peers : 3                 Peers in established state : 3
    
      Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
    
      9:1::2          4 10        8        9     0 00:05:37 Established       0
      9:3::2          4 10        2        2     0 00:00:09 Established       0
      10::2           4 20        9        7     0 00:05:38 Established       0
    
  • 查看Router的路由表,可以看出Router学到了AS 10中的路由。

 

配置脚本

  • FW_A的配置脚本

    #
     sysname FW_A
    #
     ipv6
    #
    interface GigabitEthernet 1/0/1
     ipv6 enable
     ipv6 address 10::1/64
    #
    interface GigabitEthernet 1/0/2
     ipv6 enable
     ipv6 address 9:3::1/64
    #
    interface GigabitEthernet 1/0/3
     ipv6 enable
     ipv6 address 9:1::1/64
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet 1/0/2
     add interface GigabitEthernet 1/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet 1/0/1
    #
    bgp 10
     router-id 2.2.2.2
     peer 9:1::2 as-number 10
     peer 9:3::2 as-number 10
     peer 10::2 as-number 20
     ipv4-family
      undo synchronization
    #
     ipv6-family
      network 9:1:: 64
      network 9:3:: 64
      network 10:: 64
      peer 9:1::2 enable
      peer 9:3::2 enable
      peer 10::2 enable
    #
    security-policy
      rule name policy_sec_1
        source-zone trust
        destination-zone untrust
        action permit
      rule name policy_sec_2
        source-zone local
        source-zone untrust
        destination-zone local
        destination-zone untrust
        action permit
    
  • FW_B的配置脚本

    #
     sysname FW_B
    #
     ipv6
    #
    interface GigabitEthernet 1/0/1
     ipv6 enable
     ipv6 address 9:3::2/64
    #
    interface GigabitEthernet 1/0/3
     ipv6 enable
     ipv6 address 9:2::1/64
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet 1/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet 1/0/1
    #
    bgp 10
    router-id 3.3.3.3
     peer 9:2::2 as-number 10
     peer 9:3::1 as-number 10
    #
     ipv4-family
      undo synchronization
    #
     ipv6-family
      network 9:2:: 64
      network 9:3:: 64
      peer 9:2::2 enable
      peer 9:3::1 enable
    #
    security-policy
      rule name policy_sec_1
        source-zone trust
        destination-zone untrust
        action permit
      rule name policy_sec_2
        source-zone local
        source-zone untrust
        destination-zone local
        destination-zone untrust
        action permit
    
  • FW_C的配置脚本

    #
     sysname FW_C
    #
     ipv6
    #
    interface GigabitEthernet 1/0/1
     ipv6 enable
     ipv6 address 9:1::2/64
    #
    interface GigabitEthernet 1/0/3
     ipv6 enable
     ipv6 address 9:2::2/64
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet 1/0/3
    #
    firewall zone untrust 
     set priority 5 
     add interface GigabitEthernet 1/0/1
    #
    bgp 10
     router-id 4.4.4.4
     peer 9:1::1 as-number 10
     peer 9:2::1 as-number 10
    #
     ipv4-family
      undo synchronization
    #
     ipv6-family
      network 9:1:: 64
      network 9:2:: 64
      peer 9:1::1 enable
      peer 9:2::1 enable
    #
    security-policy
      rule name policy_sec_1
        source-zone trust
        destination-zone untrust
        action permit
      rule name policy_sec_2
        source-zone local
        source-zone untrust
        destination-zone local
        destination-zone untrust
        action permit